Share This Story!

Q&A: Is Java safe to use?

Question: If Java is so vulnerable, why is it on our browsers as option, and what does it do anyway? If it is "disabled," what can my computer not do? Answer. Once again, Oracle's Java software is in the news

This is not what people, myself included, hoped when Sun Microsystems released the first versions of Java in the mid-1990s. Back then, the idea was to make the Web more than a way to display words and pictures; you could instead embed a small Java program in a page, and anybody with Sun's Java virtual-machine software installed could run that "applet."

Those same developers figured out how to make complex, interactive Web pages without using Java or any other plug-in software. You can edit a spreadsheet in Google Docs, crop a photo in Yahoo's Flickr, and manage your e-mail in Microsoft's Outlook.com using nothing more than a modern browser.

That's why I advised turning off Java last year. Fortunately, it's now easier to do that: In Oracle's current release of Java, its Windows control panel and Mac System Preferences pane have an "Enable Java content in the browser" option under a "Security" heading. Click to clear that checkbox, and you're done worrying about hostile Java applets.

If you don't see that, you may need to update your Java first; check your version at java.com. Unfortunately, Oracle has continued Sun's abusive practive of bundling third-party junk in the Java installer. You'll need to opt out of it adding an Ask.com browser toolbar and changing your search default to that site.

(On a Mac, you may only have Apple's older Java software, which should already be disabled in Safari but may require some manual configuration in Mozilla Firefox and Google's Chrome.)

Uninstalling Java outright through the Windows control panel will make you even safer, but some desktop programs — for example, the Minecraft game, TiVo Desktop and the open-source Microsoft Office alternative LibreOffice — may require it for some features. I can see keeping Java around for those cases, but I can't justify anybody at home keeping it active in the browser, and I certainly can't endorse any Web developers continuing to use it on their sites.

Tip: Enable site-wide Yahoo Mail security

Years after competitors rolled out this feature, Yahoo quietly added an option to its Yahoo Mail service that will encrypt your use against snooping attempts — not just while you send your username and password, but even as you read and write e-mail.

This encryption — called both HTTPS, short for "hypertext transfer protocol secure," and SSL, for "Secure Sockets Layer" — became an option at Gmail in 2008 and the default there in 2010. Microsoft's various mail services added this choice in 2010 as well. Yahoo, however, contented itself with encrypting only your login; a hostile network, such as a rogue Wi-Fi hot spot, could have still read your e-mail.